"Cisco Releases 10 Security Patches For Expressway Series And TelePresence VCS Products"

Cisco has recently rolled out patches for security flaws across multiple versions of its products. In an advisory, Cisco disclosed the patches and described two of the vulnerabilities, one of which was rated Critical in severity.

In the advisory, Cisco stated that a vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user. Cisco noted that these vulnerabilities affect Cisco Expressway Series software and Cisco TelePresence VCS software if they are in the default configuration.

Tracked under CVE-2022-20812, the first of these two vulnerabilities has a CVSS Base Score of 9.0 and is reportedly due to insufficient input validation of user-supplied command arguments. Cisco noted that an attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.

Cisco also addressed the Expressway Series and Cisco TelePresence VCS Null Byte Poisoning Vulnerability (CVE-2022-20813), which has a CVSS Base Score of 7.4. This flaw, in the certificate validation of Cisco Expressway Series and Cisco TelePresence VCS, could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. Cisco noted that this vulnerability is due to improper certificate validation.

The company stated that it has released software updates that address both vulnerabilities and is urging system admins to upgrade as soon as possible, as there are no workarounds that can be used to address the flaws.

Infosecurity reports: "Cisco Releases 10 Security Patches For Expressway Series And TelePresence VCS Products"

Submitted by Anonymous on